Access control in assistant api

from doc
: Implement authorization. Before performing reads or writes on assistants, threads, messages, and files, ensure that the end-user is authorized to do so. For example, store in your database the object IDs that the end-user has access to, and check it before fetching the object ID with the API.

I am seeking insights or suggestions regarding the integration of authorization in this context. Specifically, our objective is to utilize Okta OAuth for authentication purposes. This raises the question: Should our front-end interface initiate a process to authenticate users via Okta and obtain an access token, subsequently utilizing this token to determine the permissibility of user actions?

Any advice or recommendations on this matter would be greatly valued. Thank you in advance for your assistance.


Your backend should manage authentication and authorization. Your front-end alone will not suffice :frowning:

thanks, @Diet, sorry, just added one more question here,
does that mean after user auth is done from the front end, the generated access token will be passed to the backend service as well?

It’s been a while, so I could be off on some details

but basically your backend should generate a callback url with a nonce, and generate the oauth url with your application ID that the user will then be redirected to. after that, you’ll get a principal identifier and some verification code. you then check that verification code against a public key or send (from the backend!) it to the auth provider for verification. then you’ll have your user ID confirmed, and you can check in your DB what they have access to.

I think chatgpt should be able to clear up a lot of questions you have on this topic!

1 Like